[BreachExchange] Can VPNs Really Be Trusted?

Inga Goddijn inga at riskbasedsecurity.com
Wed Jun 6 23:25:19 EDT 2018


https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/can-vpns-really-be-trusted/

With hacking attacks, government surveillance and censorship constantly in
the headlines, more and more people are looking for ways to increase their
privacy online.

One of the simplest and most popular solutions is to use a virtual private
network. With a VPN, all your internet traffic is encrypted and tunneled
through a third-party server, so it can’t be traced back to you.

While this can be very effective, it must be noted that the main objective
of a VPN provider – like any other company – is to make a profit. Although
concern for the principle of web privacy may come into play, no one would
be so naive as to assume that a VPN is in it for purely altruistic purposes.

With this in mind, it’s worth asking: why should users place their trust in
VPN providers?

VPNs Have Been Known to Run into Trouble

NO SOFTWARE IS IMMUNE TO VULNERABILITIES

Ordinarily, when you connect to a website from your computer, you do so
from your IP address. However, when you use a VPN, rather than sending the
message out directly, your data first gets sent to one of the VPN’s servers
and is only then routed to its final destination.

That means that instead of seeing your IP address, the website you’re
visiting sees the IP address of the server, and no one – not your internet
security provider, the government, or hackers – is able to trace your
online activity back to you. In other words, the whole concept of achieving
web security through a VPN is based on keeping your real IP address hidden.

That’s why it was so disconcerting when a recent investigation revealed a
vulnerability in three major VPNs that caused users’ IP addresses to be
leaked. That’s not to say that IP addresses were revealed every time a
customer used the VPN, just that under certain conditions it was possible
for a hacker to divert the user’s traffic to the hacker’s server instead of
the VPN’s and gain access to the user’s real IP address.

Although this was obviously not good news, vulnerabilities like this crop
up all the time in the cybersecurity world. What’s important is how
proactive companies are in identifying and fixing them. Fortunately, two of
the providers implicated in the study have since created a patch for the
updated versions of their VPNs.

SOME VPNS HOLD ONTO YOUR DATA

In addition to maintaining tight security, it’s also crucial that a VPN
provider practice transparency. Those who have even dipped a toe into the
world of VPNs have likely seen the words “no logs” touted as an attractive
feature. This means that the VPNs themselves don’t track your internet
activity.

However, a no logs claim can denote different things for different VPNs, so
it’s crucial that the VPN you use provide a clear privacy policy on its
website. A good VPN won’t track sites visited, duration of sessions, or
store your IP address, but most will keep records of your email address and
payment information (for obvious reasons).

Users should be aware of other nuances, as well. For instance, in order to
provide better customer support, one VPN might take note of your operating
system and how much data you use, while another may forgo this for the sake
of increased privacy.

If a provider’s privacy policy doesn’t reach this level of detail, consider
it a red flag.

CERTAIN VPN MOBILE APPS HAVE BEEN FOUND TO CONTAIN MALWARE

A study by the Commonwealth Scientific and Industrial Research Organisation
found that of 283 VPN Android apps examined, 38% showed indications of
being infected with some form of malware. That said, once the researchers
controlled for a high probability of false positives, they reduced that
number to four percent. Almost half of this malware was for the purpose of
advertising.

In addition, 82% of the apps requested permission to access sensitive data,
such as user accounts and text messages, and 18% used tunneling
technologies that aren’t encrypted.

What may be more disconcerting to some is how little VPN users are aware of
potential risks. Because VPN apps require the ability to manipulate all of
your phone’s web traffic, Android sends users two warnings notifying them
of the change to their device. However, few users are likely to understand
the full implication of granting such permission to a third party.

Moreover, VPN users tend to give favorable reviews, and even when they
don’t, security is low on their list of gripes. In fact, less than one
percent of negative reviews for the VPN apps studied were related to
security concerns.

Steps You Can Take to Improve Your Security

It’s clear from many of the above examples that the primary reason VPNs
might put users’ privacy at risk is for the benefit of advertisers. From
this, we can deduce that – because they don’t need to rely on advertising
for revenue – VPNs that you have to pay for might be more trustworthy than
free VPNs.

That said, there do exist reputable free VPNs that manage to keep their
doors open without selling your data. Generally, these make their money by
openly displaying advertisements or by limiting features in order to
encourage users to upgrade to a paid plan.

And in the case of both paid and free VPNs, there are steps you can take to
ensure your privacy and security:

Carefully read your VPN’s privacy policy and ask customer support if you
have any questions or if something seems amiss.
Make sure you have antivirus software installed on your device.
Seek out objective third-parties that test and review VPNs.

As has been shown in the Android app study, VPN users tend to lack an
awareness regarding security issues. Therefore, it’s crucial to take into
account the reviews of experts who are qualified to identify potential
threats. Besides helping users choose the right VPN for them, as the
above-mentioned studies have shown, these sites also keep VPN providers on
their toes and enable them to fix vulnerabilities as they arise
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180606/21daa575/attachment.html>


More information about the BreachExchange mailing list